Google Redirect, 8 steps completed

Status
Not open for further replies.

christo76

Posts: 18   +0
My roommate apparently got a virus or more, on her computer. It was one of those fake shields with pop-ups saying things were infected and asking you to pay for software. I managed to get rid of that (I think). But then she noticed that Google links were being redirected to random sites.

I searched here, and found several similar cases, so I ran through the 8 steps. Log sheets are attached.

I also ran combofix, which seemed to be the next step in all the posts. Though I now see the sticky saying not to run it unless told, my bad. It did seem to have some issues running. I ran it once, and it downloaded a new version, then during autoscan a Microsoft error window appeared (PEV.exe needed to close... do you want to send report...), but Combofix was still running so I just ignored the window. CF then restarted the computer after saying it found an infection. On start-up CF came up and said it couldn't find Combo-fix.sys, then said it was creating a log sheet, then the computer just restarted, and CF never came back up. I renamed combofix to combo-fix and re-ran. This time, no windows popped up, it found no infections, but after it said it was creating a log sheet, it just restarted again and combofix never came back up. I looked and found the log sheet but it didn't really have any details, basically the same as the one attached. I ran it a third time, and it found an infection, restarted, said it was creating a log sheet, then restarted again, with no log sheet displayed.

The google redirect is still there. Any help would be greatly appreciated.
 
Delete or fix this entry in the hijackthis log:
"O17 - HKLM\System\CCS\Services\Tcpip\..\{D34AE06B-90B9-4A29-884C-130EC9D093FA}: NameServer = 151.164.8.201,66.73.20.40"

After you fix this, try running the ESET Online Scanner:
Eset Scanner

Post your results
 
That's not the complete ComboFix log, post it. Should be C:\ComboFix.txt

Don't fix that HijackThis entry.
 
I already 'fixed' the entry, and was running the ESET scanner. Is there a way to replace that entry if needed?

As for the combofix log, that is all there is in c:\combofix.txt. Though technically it is C:\Combo-fix\combofix.txt if that makes any difference.

I tried running combofix a few times and each time it restarts right after it says it's preparing the log, and it never brings it up.
 
So kritius,
you are a combofix advocate. I saw those tcpip entries in 3 hijackthis logs of computers suffering with search redirect issues here. Some of the IP addresses go to sites, others go nowhere. How do you tell if these are legitimate or not? With browser redirects, this tcpip entry was a logical concern.
 
Are you still being redirected? What were the ESET results?
 
Whois the entry, they come up legit.

Delete the copy of ComboFix that you have off your desktop and then,

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(screenshot: RC1.png)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: RC2-1.png)



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
 
Eset is still running. I can't tell if it's still redirecting because the internet connection seems to be down now. Don't know if Eset is just running off of my computer now or if it was able to maintain a connection, but IE and Firefox just bring up the "can't find the page" window.

If that entry is an issue, I may have more problems. The same (or nearly identical) entry is listed twice on this computer, which has had no issues at all. See log attached.
 
Yes christo76,
That line 17 entry is back with an addition... Let ESET finish and we will see if the redirects are still active.
 
Tmagic, that last log was from a second computer. I posted it because it also has the O17 entry and was worried it too could have issues that haven't shown up yet.

Right now the original computer seems to have lost all internet capabilities since deleting that line and starting Eset. If I go into Network Connections in the control panel, it's an empty folder. Tried making a new connection for broadband, but the network wizard says it can't make a new one because it should just work.
 
I restored the O17 line in Hijackthis, and the internet connection is working again. Deleted Combofix and downloaded new version and it is running now.

Eset found nothing.
 
Is your ISP AT&T Internet Services?

Let's focus on the actual malware; the redirects will be caused by a modified file. HijackThis will not show this, ESET will not help it.

We need to get a ComboFix log so we can see what file it is.
 
Yes, ATT DSL is my internet service. Combofix ran and once again the log is basically empty. It finished the 50 stages, the window said "preparing log... Do not run any programs..." then after about 3-5 seconds the computer just restarted. Combofix never came back up, and after a few minutes I looked at the combofix.txt and it was the same as the one posted earlier.

I realized I have been running the computer in selective start-up for the past few days, due to slow performance and the initial Fake AV. Don't know if that has any effect on the combofix log. But I put it back to normal startup and am running combofix again, hoping to get a full log.
 
Tried combofix again, this time in normal startup, but I get the exact same thing. It says it's preparing the log, then the computer restarts, and combofix doesn't start back up and the log just shows the initial info of times, locations and AV software.

Is there anything that causes this?
 
Some AVs can cause this, completely uninstall Avast and try again.

If that doesn't work, look in the qoobox folder for a file called ComboFix deletions or similar, post it here.

Then,

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    (screenshot: gmer_zip.gif)

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
 
Combofix still didn't create full log. Should I uninstall superantispyware? I have it turned off while running combofix, but it does come up when the computer restarts.

Inside the qoobox folder there are 2 files, ndis.sys & loga, and 5 folders: BackEnv, LastRun, Quarantine, Test, TestC. None seem to have any files related to combofix or deletions.

I ran GMER. Here are the results.

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-18 19:01:20
Windows 5.1.2600 Service Pack 3
Running: oxs2vvqd.exe; Driver: C:\DOCUME~1\JULIEP~1\LOCALS~1\Temp\uxtdypod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xED3EC0B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 451 804E2AAD 3 Bytes [C0, 3E, ED] {SAR BYTE [ESI], 0xed}

---- Devices - GMER 1.0.15 ----

Device \Driver\00000340 -> \Driver\atapi \Device\Harddisk0\DR0 82F52170

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----
 
Ok, download this file HERE, save it to your C:\ drive

then go to start and then run and type cmd

cd\
c:\mbr.exe -t
c:\mbr.log

A log file (c:\mbr.log) will open. Post the contents of it to your reply
 
Here is the mbr.log


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F52170]<<
kernel: MBR read successfully
user & kernel MBR OK
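An added example, not part of the thread: a small Python script that parses the GMER "Devices" section and the mbr.exe "called modules" line quoted above, and looks up the address mbr.exe reports as UNKNOWN in GMER's device table. On this thread's logs the unknown module address (0x82F52170) resolves to the entry that redirects \Driver\atapi, which is the correlation that points the helper at atapi.sys. The two log excerpts are embedded as constructed input copied from the posts.

```python
import re

# Constructed sample input: the Devices section of the GMER log posted in this thread.
GMER_LOG = r"""
---- Devices - GMER 1.0.15 ----

Device \Driver\00000340 -> \Driver\atapi \Device\Harddisk0\DR0 82F52170

---- Registry - GMER 1.0.15 ----
"""

# Constructed sample input: the mbr.log posted in this thread.
MBR_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F52170]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# "Device <driver object> -> <target driver> <device> <address>"
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+([0-9A-Fa-f]{8})$")
# mbr.exe marks a caller it cannot attribute to any loaded module as >>UNKNOWN [0x...]<<
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]{8})\]<<")


def parse_gmer_devices(text):
    """Map each address in GMER's Devices section to (driver object, target, device)."""
    devices = {}
    for line in text.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m:
            src, dst, dev, addr = m.groups()
            devices[addr.upper()] = (src, dst, dev)
    return devices


def parse_mbr_unknowns(text):
    """Return the addresses mbr.exe could not attribute to a known module."""
    return [a.upper() for a in UNKNOWN_RE.findall(text)]


def mbr_ok(text):
    """True when mbr.exe reports the on-disk MBR itself as unmodified."""
    return "user & kernel MBR OK" in text


def correlate(gmer_text, mbr_text):
    """For every UNKNOWN address in mbr.log, report which GMER device entry (if any) it belongs to."""
    devices = parse_gmer_devices(gmer_text)
    findings = []
    for addr in parse_mbr_unknowns(mbr_text):
        src, dst, dev = devices.get(addr, (None, None, None))
        findings.append({"address": addr, "driver_object": src, "target": dst, "device": dev})
    return findings
```

A hit here means the unattributed code sits in the disk device stack even though the MBR itself reads clean, so the on-disk driver file is the next thing to check.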
 
Ok,

I think I know what the problem is.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 10:55 on 19/11/2009 by Julie Peil (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [06:39 01/10/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 23/08/2001] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-
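An added example, not from the thread: a Python parser for SystemLook's filefind lines as posted above. It groups the hits by file name and compares the live copy in system32\drivers with the Service Pack reference copy in ServicePackFiles\i386 by MD5 and size, which is the comparison the helper is making by eye here. The log is embedded as constructed input copied from the post; it also handles a filefind run that returned several driver names.

```python
import re

# Constructed sample input: the SystemLook output posted in this thread.
SYSTEMLOOK_LOG = r"""
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 10:55 on 19/11/2009 by Julie Peil (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [06:39 01/10/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 23/08/2001] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-
"""

# "<path> <6 attribute flags> <size> bytes [<created>] [<modified>] <MD5>"
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\\(?P<name>[^\\]+?))\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Parse SystemLook ':filefind' result lines into one dict per file found."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            hits.append(d)
    return hits


def compare_to_reference(hits):
    """Per driver name, compare the live system32\\drivers copy with the
    ServicePackFiles\\i386 reference. Returns {name: verdict}."""
    by_name = {}
    for h in hits:
        by_name.setdefault(h["name"].lower(), []).append(h)
    verdicts = {}
    for name, copies in by_name.items():
        live = [c for c in copies if "\\system32\\drivers\\" in c["path"].lower()]
        ref = [c for c in copies if "\\servicepackfiles\\i386\\" in c["path"].lower()]
        if not live:
            verdicts[name] = "no live copy"
        elif not ref:
            verdicts[name] = "no reference copy"
        elif live[0]["md5"] == ref[0]["md5"] and live[0]["size"] == ref[0]["size"]:
            verdicts[name] = "match"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts
```

A clean on-disk hash, as here, does not rule out an in-memory hook of the same driver; it only tells you the file was not replaced on disk.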
 
Ok,

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\system32\drivers\atapi.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Do these too

C:\WINDOWS\ServicePackFiles\i386\atapi.sys
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
 
It says it found nothing. It wouldn't let me rescan the second file (C:\WINDOWS\ServicePackFiles\i386\atapi.sys); it just gave the results of other people's scans, all with nothing found.

Here are the results of the other 2 I could scan.

VirSCAN.org Scanned Report :
Scanned time : 2009/11/19 11:01:02 (CST)
Scanner results: Scanners did not find malware!
File Name : atapi.sys
File Size : 96512 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 9f3a2f5aa6875c72bf062c712cfa2674
SHA1 : a719156e8ad67456556a02c34e762944234e7a44
Online report : http://virscan.org/report/34deb68e61363bfaf0b7f37d18e0ca6b.html



VirSCAN.org Scanned Report :
Scanned time : 2009/11/19 11:05:25 (CST)
Scanner results: Scanners did not find malware!
File Name : atapi.sys
File Size : 95360 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : cdfe4411a69c224bd1d11b2da92dac51
SHA1 : a42fbfeb5a4d94118b483d7f18113aa8c329a052
Online report : http://virscan.org/report/bc653db8c6a42bf4183c8af8b4903335.html

 
Kritius,
I decided to uninstall anything I thought might be causing any issues... Firefox, IE, SuperAS, Spybot Search & Destroy... Then I reran combofix..... this time the log came up with something new... still not a full log, but this..

ComboFix 09-11-18.06 - Julie Peil 11/19/2009 23:54:16.10.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.514 [GMT -6:00]
Running from: C:\Documents and Settings\Julie Peil\Desktop\ComboFix.exe
.
ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
to: http://www.bleepingcomputer.com/submit-malware.php?channel=4


It won't let me upload the .dat file here. And at bleepingcomputer it wants to know what topic it was requested in.

I will add a .txt extension so you can download and rename it to .dat if that will help.


Also..... obviously I managed to FTP a new copy of Firefox after I ran combofix, so I could upload all this. The Google redirect appears to be gone. I haven't reloaded IE yet, so I don't know if that would still be affected. I know at least one other person found that when they uninstalled, then reinstalled Firefox, it went away. So I don't know if the redirect portion of the virus was purely maintained within legit sections of Firefox and IE, and able to avoid normal detection, or if it's still in the system.

I don't plan on trusting this computer until you tell me you think it's ok. I don't want to let any other computer I have linked through the router be online at the same time if there is any chance this virus can pass through.

I do really appreciate all the time and effort you are putting in to help me resolve this.
 